DIGITALEUROPE response to public consultation on Article 29 Data Protection Working Party draft guidelines on personal data breach notification under Regulation 2016-679

INTRODUCTION

DIGITALEUROPE welcomes the opportunity to comment on the draft data breach notification guidelines published by the Article 29 Working Party (WP29). It is essential that the guidance published by the WP29 accurately reflects the scope of the data breach articles in the General Data Protection Regulation (GDPR). DIGITALEUROPE engaged closely in the legislative debate and worked closely with policy makers in shaping the text, giving us insight into the intentions behind specific provisions. Our members include digital companies with significant European presence and European national trade associations, representing large, medium and small companies in the technology sector from across the continent. We have experience with the 60+ mandatory data breach regimes at national and state level around the world.

As such, we would like to provide our feedback on our interpretation of the legal provisions in the GDPR but also our practical experience from existing regimes. For many sections of the guidance, we are comfortable with the interpretation provided by WP29. In the interest of providing focused feedback, however, we have chosen to largely limit our comments to topics where we have concerns or would like additional clarification.